Date: Fri, 16 Aug 2013 09:51:17 -0500 [10:51:17 EDT]
From: Wells Fargo Event Messaging Admin [ofsrep.ceosmuigw@wellsfargo.com]
Subject: CEO Portal Statements & Notices Event
Wells Fargo
Commercial Electronic Office (CEO) Portal Statements & Notices Event: Multiple Download Request Available
Your Deposit Adjustment Notices is now available. To access your information please download attached report and open Statements & Notices file.
Date/Time Stamp: Fri, 16 Aug 2013 09:51:17 -0500
Request Name: MM3P85NRLOXLOFJ
Event Message ID: S045-77988311
Please do not reply to this email.
The email has an attachment called report_625859705821.zip which in turn contains an exectuable report_{DIGIT[12]}.exe (which presumably is an error) which has a VirusTotal detection rate of 9/46. The Malwr report shows that this malware does various things, inclding an HTTP request to a hijacked GoDaddy domain at [donotclick]hubbywifeco.com/forum/viewtopic.php hosted on 66.151.138.80 (Nuclear Fallout Enterprises, US) which is shared with another hijacked domain, hubbywifecakes.com.
From there, another executable is downloaded from one of the following locations:
[donotclick]208.106.130.52/39UvZmv.exe
[donotclick]demoscreactivo.com/DKM9.exe
[donotclick]roundaboutcellars.com/Utuw1.exe
[donotclick]bbsmfg.biz/VKPqrms.exe
This executable has an even lower detection rate of just 5/46. You can see the Malwr report for that here.
Blocking EXE-in-ZIP files like this at your perimeter is an excellent idea if you can do it.
Recommended blocklist:
66.151.138.80
hubbywifeco.com
hubbywifecakes.com
208.106.130.52
demoscreactivo.com
roundaboutcellars.com
bbsmfg.biz
No comments:
Post a Comment